
Guest • 9 years ago

It's already July...when will we get free SSL?

eastdakota • 9 years ago

Be patient. It's on schedule. As you may imagine, having CFSSL in place and rock solid is a requirement for making SSL available to everyone.

Jim • 9 years ago

I can't wait for free SSL

zbowling • 9 years ago

The CFSSL name is overloaded with CoreFoundation's CFNetwork SSL socket names :-) As an Apple Mac and iOS developer I was very confused.

Andrew • 9 years ago

It's already July...when will we get free SSL?

dharani kumar • 3 years ago

Why go with an HTTP API server? Don't API requests and responses contain sensitive information? So shouldn't we default to HTTPS instead of HTTP?

陈凡 • 6 years ago

I found that the expiry of the generated root certificate is only 5 years. Is there any way to specify the time limit for the generated root certificate?

fbifido • 8 years ago

What's the update on CFSSL?
How is CloudFlare using it now, any improvement?
Thanks.

fbifido • 9 years ago

Hi,
How can one install and configure CFSSL for uses like:

1) Replacing an MS CA for an internal network (PCs/laptops/servers/users) in an MS domain?
2) For my own external-facing website?
3) For external devices connecting into my internal network?
4) With ECDSA?
5) Auto deploy, auto renewals, auto cleanups, plus can be tied to AD?

Thanks.

yggdrasil • 9 years ago

This is awesome. Looks like I'll be able to use this to automate my company's TLS request/renewal workflow. Thanks for making it open-source.

Michael Daly • 9 years ago

Nice one guys. Will be a really useful tool.

Carlos A. Carnero Delgado • 9 years ago

Really nice! Are there binaries available? Say, for 64-bit Linux? Just wondering, since I don't have the Go stack installed.

n1x0n • 9 years ago

OR you could just use EJBCA...

Alexander Loginov • 9 years ago

CFSSL is easier to use for CloudFlare customers. CFSSL is fully open-source (unlike EJBCA Enterprise, which is paid) with full compatibility with all existing browsers. CloudFlare has more knowledge of what users need, because CloudFlare has many more users than EJBCA. CloudFlare can adapt faster to changes in the IT world.

Anders Henke • 9 years ago

EJBCA is also open-source, and if you'd like to receive support for EJBCA, you can pay for EJBCA Enterprise - but that's about it. A few things in CFSSL are of questionable impact for security, e.g. the "gencert" function does ask the issuing CA to create a private key AND issue a matching certificate in one step. This looks handy from a user's perspective, but results in the fact that the issuing CA technically can keep a copy of the private key - which may become compromised or misused without the user's consent or knowledge. So from a security perspective, this function should never be used, unless you're also operating the CA and really do know what you're doing :-) If you're looking for a lightweight, open-source CA solution, r509.org also comes to my mind. CFSSL is still interesting software for bundling certificates with their intermediate certificates.

Mike • 9 years ago

Nice! Looking forward to the TPM integration as well, that would be very helpful.

neoKushan • 9 years ago

This is pretty cool sounding. Can I ask something, though? As I only have the most basic understanding of what's going on here.

We have a wildcard SSL certificate, so it validates *.our.domain.com. Could we use this utility and that certificate to generate valid (and trusted) SSL certificates for, say, specificsubdomain.our.domai... or have I misunderstood this?

Anders Henke • 9 years ago

Technically, you can use your existing key/cert to sign and issue new certificates - but nobody is willing to trust them, as your certificate is lacking a special usage bit for this kind of operation. There are also technical options (X.509v3 name restrictions) to limit the kinds of certificates you could issue, but they're not so widespread that these options can be enforced. As a consequence, no CA today will issue a CA certificate which is restricted to issuing certificates for anything below .our.domain.com.
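The two points Anders Henke raises in this thread (a leaf key should be generated where it is used and only a CSR sent to the CA, and an X.509v3 name-constraints extension can restrict what a CA may issue) can both be shown with Go's standard library. The following is an added example written for this thread; it is not CFSSL's code and not from the original post. Everything here is constructed: the CA names, the ".our.domain.com" constraint borrowed from the question above, and the in-memory issuance flow. The CA side (`signCSR`) never receives the leaf private key, and `verifyLeaf` plays the browser, which is where the name constraint is actually enforced: a leaf for specificsubdomain.our.domain.com validates, a leaf for www.example.com issued by the same CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key. In the workflow modelled here the leaf key is
// created on the server that will use it, never at the CA.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildCA makes a self-signed CA (constructed example). A non-empty
// permittedDomain adds a critical name-constraints extension limiting
// issued leaves to that DNS subtree (".our.domain.com" style).
func buildCA(cn, permittedDomain string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if permittedDomain != "" {
		tmpl.PermittedDNSDomainsCritical = true
		tmpl.PermittedDNSDomains = []string{permittedDomain}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// requestCSR is the client side: it keeps leafKey and hands the CA only the
// CSR (public key plus requested names, signed with the leaf key).
func requestCSR(leafKey *ecdsa.PrivateKey, host string) []byte {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, leafKey)
	if err != nil {
		panic(err)
	}
	return der
}

// signCSR is the CA side. It checks the CSR's proof-of-possession signature and
// issues a server leaf; note the leaf private key is not among its inputs.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		panic(err)
	}
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// verifyLeaf is the relying party (browser). Name constraints carried by the CA
// are enforced here, against the leaf's SAN entries.
func verifyLeaf(root, leaf *x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// IssueAndVerify runs the whole flow for host under a CA constrained to
// permittedDomain and returns the relying party's verdict (nil = trusted).
func IssueAndVerify(permittedDomain, host string) error {
	ca, caKey := buildCA("Constrained Issuing CA (example)", permittedDomain)
	leafKey := newKey() // lives with the server; only the CSR goes to the CA
	leaf := signCSR(ca, caKey, requestCSR(leafKey, host))
	return verifyLeaf(ca, leaf, host)
}

func main() {
	fmt.Println("in-scope name :", IssueAndVerify(".our.domain.com", "specificsubdomain.our.domain.com"))
	fmt.Println("out-of-scope  :", IssueAndVerify(".our.domain.com", "www.example.com"))
}
```

The second call fails inside `Verify` with a "not authorized to sign for this name" style error even though the CA's signature over the leaf is perfectly valid, which is the whole point of the constraint: it is the verifier, not the issuer, that refuses. The split between `requestCSR` and `signCSR` is the alternative to a one-step gencert-at-the-CA flow; the CA only ever handles public material.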

Nick Sullivan • 9 years ago

This tool does not let you change the contents of an already existing certificate. The only way to get a trusted certificate is buying one through a CA. This tool can make sure that when you use that certificate for your website, it is accessible from all browsers.

fbifido • 8 years ago

Say I am neoKushan, and I install cfssl; my bundle certificate would look like this:
neoKushan leaf → GlobalSign SHA2 Intermediate → GS Root G2

What are the commands needed to create an internet/production-ready CA that can generate certificates for any server on my domain "xxxxx.our.domain.com"?
What do I need from or give to GlobalSign to get my CA certified, so that I can start creating certs?
Do I need a special certificate, or can I just generate a CSR on the cfssl server and buy a 3-year normal certificate?
How do I go about certifying all my Windows servers?
Can these be scripted using PowerShell?
Thanks.

neoKushan • 9 years ago

Ah ok, thanks for the response!

Filip Oščádal • 9 years ago

Good work! Will come in handy :D

Rob Orr • 9 years ago

Very cool - love seeing what you guys are up to.